You can configure single sign-on (SSO) between Operations Manager and CA Identity and Access Management.
Creating a partnership between CA and Operations Manager involves the following steps:
Installing and configuring the prerequisites. For more information, see Prerequisites.
Configuring CA SSO as an identity provider (IDP). For more information, see Configure CA as the SAML identity provider for Operations Manager.
Configuring the service provider (SP). For more information, see Configure Operations Manager as the SAML service provider for CA single sign-on.
To configure SSO between CA and Operations Manager, you must have:
An installation of CA SSO v12.52 or later.
Configured user store and session store.
A certificate signed by a certificate authority (CA).
A protected IDP URL with CA SSO.
An Operations Manager environment at https://console.SYSTEM-DOMAIN, where SYSTEM-DOMAIN is the system domain of your Operations Manager installation.
To configure CA SSO as the SAML IDP for Operations Manager:
Download the SP metadata from https://login.SYSTEM-DOMAIN/saml/metadata, where SYSTEM-DOMAIN is the system domain of your Operations Manager installation. Fetch it over HTTPS with certificate validation, because the SP signing certificate that CA SSO later trusts is taken from this file.
Follow the procedure in Configure TAS for VMs as a Service Provider for SAML in Configuring Authentication and Enterprise SSO for TAS for VMs to set the IDP metadata on Operations Manager.
Paste the contents of the IDP metadata XML file exported from CA SSO into the Provider metadata field.
Click Save.
Return to the Tanzu Operations Manager Installation Dashboard.
Click Review Pending Changes.
Click Apply Changes.
This section explains how to configure Operations Manager as the SAML SP for CA SSO.
To configure IDP and SP entities in CA SSO:
Go to https://login.SYSTEM-DOMAIN/, where SYSTEM-DOMAIN is the system domain of your Operations Manager installation.
Log in to CA SSO.
Go to Federation.
Click Partnership Federation.
Click Entity.
Click Create Entity.
To create a local entity, configure the fields with the following values:
Entity ID: https://ca-technologies.xxx.com. This is an example value; use the entity ID of your own CA SSO IDP, and use the same value when you later import the IDP metadata into Operations Manager.
Supported NameID formats: select both urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
To create a remote entity, use the values published in the SP metadata you downloaded from https://login.SYSTEM-DOMAIN/saml/metadata, where SYSTEM-DOMAIN is the system domain of your Operations Manager installation. Operations Manager signs the outgoing SAML authentication requests, so CA SSO must hold the SP signing certificate from that metadata in order to verify them; a request whose signature cannot be verified is rejected rather than silently accepted.
To configure a partnership between CA SSO and Operations Manager:
Go to https://login.SYSTEM-DOMAIN/, where SYSTEM-DOMAIN is the system domain of your Operations Manager installation.
Log in to CA SSO.
Go to Federation.
Click Partnership Federation.
Click Create Partnership.
To configure the partnership, configure the fields with the following values:
Click Next.
On the Federation Users page, accept the default values.
Click Next.
To complete the Name ID Format section:
Operations Manager does not process SAML assertion attributes at this time, so you can leave the Assertion Attributes fields empty; the user is identified by the NameID alone.
Click Next.
To complete the SSO and SLO section:
In the Audience field, enter http://login.SYSTEM-DOMAIN, where SYSTEM-DOMAIN is the system domain of your Operations Manager installation.
The Audience field requires http:// instead of https://. The Audience value is an identifier that Operations Manager compares as an exact string against its own SP entity ID; it is not a URL that either side connects to, so the scheme does not affect transport security. The SAML messages themselves are still exchanged over the HTTPS endpoints published in the metadata. If the string differs from the entity ID in any character, including the scheme, the assertion fails audience validation and the login is rejected.
Click Next.
To complete the Configure Signature and Encryption section:
Important: Operations Manager does not support encryption options at this time, so do not enable assertion or NameID encryption for this partnership. Signing is unaffected; Operations Manager expects the assertion to be signed.
To activate the partnership, expand the Action drop-down menu for your partnership and click Activate.
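The values entered across these steps (the remote entity, the NameID formats, the Audience field, and the no-encryption constraint) all have to agree with what the SP metadata at https://login.SYSTEM-DOMAIN/saml/metadata publishes, and a mismatch only shows up as a failed login after activation. The following Python script is an added example, not code from Operations Manager or CA SSO: it parses SP metadata and reports the mismatches a practitioner would want to catch before clicking Activate. The sample metadata, the placeholder domain login.example.com, and the fake certificate are constructed for the example, and the function names are my own.

```python
"""Check SAML SP metadata against the values configured in a CA SSO partnership.

Added example, not part of the Operations Manager or CA SSO products.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed stand-in for the SP's DER signing certificate (not a real X.509 certificate).
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder certificate bytes").decode()

# Constructed sample SP metadata shaped like what a UAA-based Operations Manager serves;
# login.example.com stands in for login.SYSTEM-DOMAIN.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://login.example.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{NAMEID_EMAIL}</md:NameIDFormat>
    <md:NameIDFormat>{NAMEID_UNSPECIFIED}</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.example.com/saml/SSO/alias/login.example.com"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Extract the fields CA SSO needs for the remote (SP) entity and the partnership."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is IDP metadata, not SP metadata")
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        use = kd.get("use", "signing encryption")  # no 'use' attribute means both
        for cert in kd.findall(".//ds:X509Certificate", NS):
            # validate=True rejects stray characters from a bad copy-paste of the certificate
            der = base64.b64decode("".join(cert.text.split()), validate=True)
            certs.append((use, der))
    return {
        "entity_id": root.get("entityID"),
        "signs_authn_requests": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "wants_signed_assertions": sp.get("WantAssertionsSigned", "false").lower() == "true",
        "nameid_formats": [e.text.strip() for e in sp.findall("md:NameIDFormat", NS)],
        "acs": [(a.get("Binding"), a.get("Location"))
                for a in sp.findall("md:AssertionConsumerService", NS)],
        "certs": certs,
    }


def check_partnership(info, audience, idp_nameid_formats, idp_encrypts_assertions=False):
    """Return the mismatches between parsed SP metadata and the CA SSO partnership settings.

    audience: the Audience field; idp_nameid_formats: formats enabled on the local entity;
    idp_encrypts_assertions: whether encryption was turned on in Signature and Encryption.
    """
    problems = []
    # Audience is matched as an opaque string against the SP entityID, scheme included.
    if audience != info["entity_id"]:
        problems.append(f"Audience {audience!r} != SP entityID {info['entity_id']!r}")
    if not set(idp_nameid_formats) & set(info["nameid_formats"]):
        problems.append("no NameID format is supported by both IDP and SP")
    # A signing SP needs its certificate on the IDP side, or every AuthnRequest is rejected.
    if info["signs_authn_requests"] and not any("signing" in use for use, _ in info["certs"]):
        problems.append("SP signs AuthnRequests but metadata publishes no signing certificate")
    if idp_encrypts_assertions and not any("encryption" in use for use, _ in info["certs"]):
        problems.append("IDP is set to encrypt assertions but the SP publishes no encryption "
                        "certificate; Operations Manager does not support encryption")
    if not any(loc.startswith("https://") for _, loc in info["acs"]):
        problems.append("no HTTPS AssertionConsumerService endpoint")
    return problems


if __name__ == "__main__":
    parsed = parse_sp_metadata(SAMPLE_SP_METADATA)
    for issue in check_partnership(parsed, "https://login.example.com", [NAMEID_EMAIL],
                                   idp_encrypts_assertions=True):
        print("MISMATCH:", issue)
```

To run it against a real environment, replace SAMPLE_SP_METADATA with the file downloaded from https://login.SYSTEM-DOMAIN/saml/metadata and pass the Audience string exactly as typed into CA SSO; the script deliberately treats the scheme as significant because the SP does. The base64 validation on the certificate element is there because the same certificate is what CA SSO uses to verify signed AuthnRequests, so a corrupted copy fails closed at partnership time rather than at first login.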